Add wireguard

2025-10-31 19:06:58 +01:00 · 2025-10-31 19:06:58 +01:00 · 30630c8508
commit 30630c8508
parent 5e0c257caf
8 changed files with 49 additions and 13 deletions
--- a/keys/secrets.nix
+++ b/keys/secrets.nix
@ -12,6 +12,6 @@ in
  "wg-selene".publicKeys = macbook ++ selene ++ master;
  "wg-macbook".publicKeys = macbook ++ master;
  "hetzner.priv".publicKeys = macbook ++ selene ++ master ++ ren;
-  "wg-ren".publicKeys = macbook++master;
+  "wg-ren.priv".publicKeys = macbook++master++ren;
  "ren.priv".publicKeys = master ++ ren;
 }
--- a/keys/wg-ren
+++ b/keys/wg-ren
@ -1,7 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 M7OTMg QdJds7EpXMyyO9aKmqQg3HWmY6RQbzkQxRQw+K9fn14
 /SlvfJAOmCqYvIOZm/ZSynAIWSC+2dAvPpa+5Me6I8k
 -> ssh-ed25519 CJLJQg MqNRTuwFcRdZ5VFbcgXQwjRxMAHLJEdUKLuXFPtkRVc
 qRaaJzGRPiW2doetErhhUKwUXitvsQ5CGl2QzGK44Ss
 --- fCQGYqP7qr+S1tzDeyce5Bn4iWsXq+kIe/ojPNj0LVA
 ¹4µZŽÁ“Çi"Õž3ÄÞW+€i¾ï9ç8Íßž=¼<>Œ¿u°ÃnB’ÚÂy]@›[X[]²	X—„Ã›5ªîÌœðîö¢íÄz°lÊ@
--- a/keys/wg-ren.priv
+++ b/keys/wg-ren.priv
@ -0,0 +1,11 @@
 age-encryption.org/v1
 -> ssh-ed25519 M7OTMg 8nknZVXc9jRQ9EIoeZQPfVFc3AsN+ZNaiSPeIWMVNyQ
 hjICGDFoRD2hsUOBmdp25kkd0r/VaMCV2qwc32zOHsY
 -> ssh-ed25519 CJLJQg Z6xiZlQsQ0WrHJL/rfKjqg4UJS6sbToZz+HeYcWdAxQ
 Z8On7Lpm5wPj3Trp1tU1nz8G1L19Ko4TmfCOcV9dRqw
 -> ssh-ed25519 pvX1bw Wwz7stGctuhK51nIvvWJpraC+p1MnctIobNTcfiPoRc
 sMd9qVUGTGVZMLNdm4r5qNu/05nxMfibdpdSZ9IFv1g
 --- ScMClS6qUPytP3iOk9isrnxfS52ykFVWYfxYoqAxAg4
 âÀpjxœCù
²IŒ1~/Ÿ´`à¤ÀYbÞ¿Bkxb<78>Eèé®êD)¶úÜL{C
V/}AÖž¹º
 I‘
 ÂŒÑùéÁf#Ôñc
--- a/keys/wg-ren.pub
+++ b/keys/wg-ren.pub
@ -1 +1 @@
-wvTFERFXOPcgziLtLtfF3LGv5zmBWikCy/yLRwSuxWA=
+6wo2BVWvdXIkrqHaZFag4t7LcmiaiUIX4M/EeHrjwHE=
--- a/modules/servermodules/wireguard/wireguard-server.nix
+++ b/modules/servermodules/wireguard/wireguard-server.nix
@ -54,10 +54,7 @@ in
          peers = [
            # List of allowed peers.
            (import ../../../systems/macbook/wireguard.nix).peerConfig
-            {
+            (import ../../../systems/ren/wireguard.nix).peerConfig
              publicKey = (builtins.readFile ../../../keys/wg-ren.pub);
              allowedIPs = [ "10.100.0.3/32" ];
            }
          ];
        };
      };
--- a/systems/ren/system.nix
+++ b/systems/ren/system.nix
@ -34,5 +34,6 @@ nixpkgs.lib.nixosSystem {
    ./hardware.nix
    agenix.nixosModules.default
    ./volumes.nix
    (import ./wireguard.nix).systemModule
  ];
 }
--- a/systems/ren/users.nix
+++ b/systems/ren/users.nix
@ -1,3 +1,4 @@
 { pkgs, ... }:
 {
  users.users.ren = {
    isNormalUser = true;
@ -24,5 +25,6 @@
    (builtins.readFile ../../keys/hetzner.pub)
  ];
  age.identityPaths = [ "/home/ren/.ssh/id_ed25519" ];
  environment.systemPackages = [ pkgs.git ];
 }
--- a/systems/ren/wireguard.nix
+++ b/systems/ren/wireguard.nix
@ -0,0 +1,32 @@
 let 
  ip = "10.100.0.3/32";
  publicKey = (builtins.readFile ../../keys/wg-ren.pub);
 in
 {
  systemModule = { config, ... }: {
    age.secrets.wg-private.file = ../../keys/wg-ren.priv;
    networking.wg-quick.interfaces.wg-selene = {
      privateKeyFile = config.age.secrets.wg-private.path;
      # The internal IP address assigned to this client by the server.
      # The /24 subnet mask is important for knowing the VPN's local network.
      address = [ ip ];
      # DNS server(s) to use when the tunnel is active.
      # This is critical for resolving hostnames when all traffic is routed.
      dns = [
        "1.1.1.1"
        "1.0.0.1"
      ]; # Cloudflare DNS, or use your preferred one like 8.8.8.8
      peers = [
        (import ../../modules/servermodules/wireguard/wireguard-server.nix).infoForClients
      ];
    };
  };
  peerConfig = {
    publicKey = publicKey;
    allowedIPs = [ip];
  };
 }
`@ -1 +1 @@`
	`wvTFERFXOPcgziLtLtfF3LGv5zmBWikCy/yLRwSuxWA=`	`6wo2BVWvdXIkrqHaZFag4t7LcmiaiUIX4M/EeHrjwHE=`